Microsoft Releases Fixes for 4 Zero Day Exchange Server Vulnerabilities

Multiple news sources, security researchers and security agencies have reported on a new attack against tens, if not hundreds, of thousands of Internet-accessible Exchange servers configured for Secure Sockets Layer (SSL)/Transport Layer Security (TLS) Outlook Web App (OWA) access. These attacks are being carried out by the China state-sponsored hacking group known as Hafnium.

The exploit chains together four zero-day vulnerabilities in Microsoft Exchange software: three in Exchange itself and one in Unified Messaging Services.

The four Zero Day Microsoft CVEs are as follows:

  • CVE-2021-26855 – allows an attacker to send specially crafted HTTP requests and authenticate to the Exchange server
  • CVE-2021-26857 – insecure deserialization in Unified Messaging allows remote code execution on the Exchange server
  • CVE-2021-26858 – post-authentication arbitrary file write vulnerability in Exchange
  • CVE-2021-27065 – post-authentication arbitrary file write vulnerability in Exchange

The result is a persistent web shell that allows attackers to steal data and perform other malicious actions.

Things to consider:

  1. Track the Hosts that the vulnerability scanner identifies as Exchange servers
  2. Report on inventory the existence of hosts with any of the four vulnerabilities required for this exploit
  3. Report on the access from subnets indicated as Internet to Exchange servers via TCP 443
  4. Optional - Report on the access from ALL subnets to Exchange servers via TCP 443

For additional details, contact your RedSeal sales representatives or email [email protected]


Author Bill Burge is senior network security engineer at RedSeal. You can read more RedSeal blogs here.